RE: Hacking a Homemade forum..

Member

Posts:Location:Joined: 01.01.70 Rank: Guest

Posted on 21-11-05 01:43

Okay, I found a possible exploit. The "anti-bot" system you have on the signup forums doesn't work. A bot could easily bypass that because of the fact that the anti-bot codes end up in the source of the webpage in raw data. Let me explain this exploit.

Let's say someone creates a bot program to, for whatever reason, create a large amount of accounts. Let's say thousands in an attempt to flood your server.

Example (theory):

This is pure theory. I have not tested it; it is based off my knowledge.

A bot program connects to port 80 and uses the GET method to return HTML for the register page. The bot then reads the returned data (the HTML source of that page) and because the generated anti-bot codes are posted on the page source in regular string format (raw, text, whatever you want to call it), it can simply get the anti-bot codes right off the returned data! It can then input the rest of the data (e-mail, user, password, etc.) and use the returned anti-bot codes to submit it.

In simple words, the anti-bot codes are visible in the source of the webpage... Which in theory (based off my knowledge), can be exploited.

Please anyone correct me if I have made any mistakes or have explained anything poorly.

Hope this helps!

P.S. I also suggest you only have one anti-bot input. It would make it look a little more professional.

Edited by on 21-11-05 02:59

Author

RE: Hacking a Homemade forum..

Posted on 21-11-05 03:02

I have known about this "exploit" for a while. I just said that to code in GD and advanced PHP image codes is very complex. I will do it later in development, as the board is nowhere near complete. If you can't find any other "exploits" then woot!

RE: Hacking a Homemade forum..

Posted on 21-11-05 03:13

I don't know how many people have figured out the Admin Control Center's location, but: http://www.programmer-scripts.com/NextGenBoard/ACC/
Hack it. Try and do something.
Oh dear! The documentation is here:
http://www.programmer-scripts.com/Document1/

yeah. The D is capital. Forum screwing up..
Sorry

Edited by on 21-11-05 03:23

RE: Hacking a Homemade forum..

Posted on 21-11-05 03:42

Ah yes, it is. Hmmm, just an idea. This may lighten things up a bit, because I cannot disagree with you when you say it is complex.

What if you had a PHP script that displayed an image and set a variable for the anti-bot code... Then for each image loaded there would be a different code, and it would check the string variable that was assigned when the image was loaded and compare it to the input field.

For example:

AD426CKE5.gif : code=5c532f84m4a
DVCV1CA52.gif : code=v367svr63adv

And so on...

So if it randomly set AD426CKE5.gif as the image for the anti-bot code, the picture would display the text "5c532f84m4a" and check to make sure the user has entered that text in the input field. Make sure the image file name and the actual text it displays (anti-bot code too) are different, or the bot could "leech" right off the file name itself!

Just an idea.

Hope this helps as well!

Edited by on 21-11-05 03:45

RE: Hacking a Homemade forum..

Posted on 21-11-05 03:49

The actual method I would be using is that the GD image has random amounts of characters. Then each character is inputted into the standard "Images/GD.gif", and then they are outputted. Then the possibility is assigned to a variable, and the variable is set into a database. Then the next page checks if the variable, the field, and if the user inputted is the same. Some bots are made to keep trying. They could be easily coded to repeat until one possibility is listed.

RE: Hacking a Homemade forum..

Posted on 21-11-05 03:55

Ah, that's true. You could make some kind of thing that limits the logins per minute. You know, that kind of thing. Or you can make it so 3 wrong passwords and you have to wait three minutes before logging in again. Anything like that should stop, if not cripple in some way, a bot.

Edited by on 21-11-05 04:01
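
The server-side check discussed in the posts above, as an added example that is not part of the thread or the board's code: the anti-bot code lives only in a server-side store keyed by a random token, so neither the page source nor the image URL reveals it, and a challenge is thrown away after three wrong answers. The array store, the function names and `captcha.php` (the script that would look the code up by token and draw it with GD) are assumptions made for the illustration.

```php
<?php
// $store stands in for the database table; all names here are hypothetical.
const MAX_TRIES = 3;      // wrong answers allowed per challenge
const TTL_SECONDS = 300;  // lifetime of a challenge
// Create a challenge. The code stays in $store; only the token is sent out.
function issue_challenge(array &$store, int $now): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ'; // uppercase only, no I or O
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $token = bin2hex(random_bytes(16)); // random, not derived from $code
    $store[$token] = ['code' => $code, 'tries' => 0, 'expires' => $now + TTL_SECONDS];
    return $token;
}

// Signup form markup: the image URL and hidden field carry the token only.
function render_form(string $token): string
{
    return '<img src="captcha.php?t=' . $token . '" alt="">'
         . '<input type="hidden" name="t" value="' . $token . '">'
         . '<input type="text" name="answer">';
}

// True only for a correct answer to a live challenge; each challenge is single-use.
function verify_answer(array &$store, string $token, string $answer, int $now): bool
{
    if (!isset($store[$token]) || $now > $store[$token]['expires']) {
        unset($store[$token]);
        return false;
    }
    if (hash_equals($store[$token]['code'], strtoupper(trim($answer)))) {
        unset($store[$token]);   // a solved challenge cannot be replayed
        return true;
    }
    if (++$store[$token]['tries'] >= MAX_TRIES) {
        unset($store[$token]);   // retry budget spent: a new image is required
    }
    return false;
}

$store = [];
$now = time();
$token = issue_challenge($store, $now);
$code = $store[$token]['code'];
echo 'code in page source: ', var_export(strpos(render_form($token), $code) !== false, true), "\n";
foreach (['AAAAAAA', 'BBBBBBB', 'CCCCCCC'] as $guess) { verify_answer($store, $token, $guess, $now); }
echo 'right answer after 3 misses: ', var_export(verify_answer($store, $token, $code, $now), true), "\n";
```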

RE: Hacking a Homemade forum..

Posted on 21-11-05 04:04

Yah, I agree, and that isn't *too* heavy on coding for me. But I want to keep this forum from blubbering to death. So that means I have to NOT make the databases huge. Then again, when this entire forum is "Done", it will become a Beta. Then I have to add, delete, correct, modify, and all that fun stuff to the code.

RE: Hacking a Homemade forum..

Posted on 26-11-05 20:42

Major update. Change themes, etc.! Then you can also make a thread. thread.php is in the works, and soon beta one will be up!

Almost here everyone! I need someone to actually try and hack it! I am updating everything, but it might be a while! Code is becoming commented, and I need you to hack it!

RE: Hacking a Homemade forum..

Posted on 27-11-05 01:33

Working on it, undercovernoob. All those login requests are probably me nailing your login.

RE: Hacking a Homemade forum..

Posted on 27-11-05 02:22

I managed to delete a few user accounts by inputting a load of XSS attempts. profile.php?id= doesn't go over 11 any more, even though there are more.

RE: Hacking a Homemade forum..

Posted on 27-11-05 02:33

WilleH, I'm not sure what you mean.

Explain the XSS you used, as it wouldn't exactly be XSS if you're deleting SQL data.

I know these aren't SQL commands, but somehow one of these or some of the others I tried has screwed something up, because after I register with some of these as usernames I'm not given a user ID.

Go to: http://www.programmer-scripts.com/NextGenBoard/index.php then it shows the newest user, click on it, the profile?id= doesn't contain a value, as if I've not been given an ID. It says they have 18 users, yet there aren't any ?id= over 11. I registered with an account called willeh and my id was over 11, and I could view my profile. But, after I entered some of the above combinations I was then unable to.